
Re: cvs.debian.org problem



On Thu, Jan 30, 2003 at 02:21:35PM -0600, Steve Greenland wrote:

> On 30-Jan-03, 10:55 (CST), Matt Zimmerman <mdz@debian.org> wrote: 
> > On Wed, Jan 29, 2003 at 05:40:54PM -0600, Steve Greenland wrote:
> > 
> > > apt-get install subversion
> > 
> > Not a very good alternative when the problem is network security.
> 
> Are you saying that network access via subversion is no more secure than
> CVS pserver? Can you point me at info about this? (I'm not arguing with
> you, I'm just surprised, as I thought one of the goals of svn was better
> c/s than CVS.)

I don't know whether it is a goal or not, but subversion is still very much
under development, and some of its goals have not yet been met.

Currently, the only secure access method for subversion is to use a local
repository.  cvs can be quite reasonably secured using rsh-tunneled
operation with ssh, while the only network option for subversion is https,
and subversion does not verify server certificates, leaving the door open
for a man-in-the-middle attack.

At least, this was the case when I last investigated it.

> Or are we talking about different things? My point was that it seemed
> generally agreed that read/write pserver access was basically equivalent
> to giving the user shell access to the server, and thus one is better off
> using an SSH tunnel, because that way at least it's *only* the authorized
> users.

Agreed.

> My assumption and understanding was that svn was better (i.e. more
> restrictive) about this.

I believe it is possible with subversion to grant meaningful read-only
repository access, which would be better than what pserver gives you for
anonymous users.

-- 
 - mdz
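The thread contrasts read/write pserver access (treated as equivalent to shell access) with CVS run over an ssh tunnel. As an added example, not taken from the thread or from the CVS project, the following POSIX shell snippet classifies CVSROOT strings, flags `:pserver:` roots, and rewrites them into the `:ext:` form that is used together with `CVS_RSH=ssh`. The host name `cvs.example.org` and the repository paths are constructed sample values; the rewrite assumes the plain `user@host:/path` form without an explicit port.

```shell
#!/bin/sh
# Added example: audit CVSROOT values and point pserver users at the
# ssh-tunneled ':ext:' method described in the thread. Not CVS project code.

# Print the access method encoded in a CVSROOT string.
# pserver  -> password server, cleartext protocol on the network
# ext      -> remote shell transport, ssh when CVS_RSH=ssh is set
# local    -> repository on the local filesystem
cvsroot_method() {
    case "$1" in
        :pserver:*)   echo pserver ;;
        :ext:*)       echo ext ;;
        :local:*|/*)  echo local ;;
        *)            echo unknown ;;
    esac
}

# Rewrite a ':pserver:user@host:/path' root as ':ext:user@host:/path'.
# Assumption (constructed simplification): no explicit port in the root.
# Any other root is printed unchanged.
pserver_to_ext() {
    case "$1" in
        :pserver:*) printf ':ext:%s\n' "${1#:pserver:}" ;;
        *)          printf '%s\n' "$1" ;;
    esac
}

# Audit the CVSROOT values given as arguments. Each pserver root is reported
# on stderr together with its ssh-tunneled replacement; the number of
# pserver roots found is printed on stdout so callers can act on it.
audit_cvsroots() {
    count=0
    for root in "$@"; do
        if [ "$(cvsroot_method "$root")" = pserver ]; then
            count=$((count + 1))
            printf 'INSECURE %s -> use %s with CVS_RSH=ssh\n' \
                "$root" "$(pserver_to_ext "$root")" >&2
        fi
    done
    echo "$count"
}

# Constructed sample roots, as they might appear in developers' shell
# profiles or ~/.cvspass files.
SAMPLE_ROOTS=':pserver:anonymous@cvs.example.org:/cvs
:ext:mdz@cvs.example.org:/cvs
/var/lib/cvs'

# Usage: report the pserver roots among the samples.
# To move a client to the tunneled method, set:
#   CVS_RSH=ssh; export CVS_RSH
#   CVSROOT=":ext:user@cvs.example.org:/cvs"; export CVSROOT
IFS='
'
# shellcheck disable=SC2086
audit_cvsroots $SAMPLE_ROOTS >/dev/null
unset IFS
```

Only the `:ext:` root and the local path pass the audit; the anonymous pserver root is reported along with the `:ext:` replacement a user would pair with `CVS_RSH=ssh`.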